The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


.NET SecureString – storing/retrieving passwords and other sensitive data

Posted by jpluimers on 2011/08/31

Let me start by saying that you should store as little sensitive information as possible. But if you do, you should store it in a secure way. That’s why .NET 2.0 introduced the SecureString class.

I won’t go into detail here, as the links below and the demo source do that much better than I can:

One warning: be very cautious when you convert a SecureString into a regular insecure array of characters or string, or compare the unsecured content. To quote Fabio Pintos, every time you do, a little village bursts on fire. When you do access it in an insecure way, make sure the memory is pinned, then clear and release the insecure memory as soon as possible.

The problem with a garbage-collected environment like .NET is that strings live on the heap, and you can’t deterministically eliminate a string from memory like you could in a deterministic environment like Delphi or C/C++.
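
One way to follow that advice, as an added example (not the demo source this post refers to): decrypt into unmanaged memory, which the garbage collector never moves or copies, compare there, and zero and free the buffers in a finally block. The class and helper names and the sample passwords are constructed for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Compares two SecureStrings without ever creating a managed System.String.
    public static bool SecureEquals(SecureString a, SecureString b)
    {
        if (a == null) throw new ArgumentNullException(nameof(a));
        if (b == null) throw new ArgumentNullException(nameof(b));

        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            // Plaintext lands in unmanaged memory, outside the GC heap,
            // so no stray copies are left behind by heap compaction.
            pa = Marshal.SecureStringToGlobalAllocUnicode(a);
            pb = Marshal.SecureStringToGlobalAllocUnicode(b);

            // Fold the length difference and every character difference into
            // one accumulator: no early exit on the first mismatch.
            int diff = a.Length ^ b.Length;
            int n = Math.Min(a.Length, b.Length);
            for (int i = 0; i < n; i++)
                diff |= Marshal.ReadInt16(pa, i * 2) ^ Marshal.ReadInt16(pb, i * 2);
            return diff == 0;
        }
        finally
        {
            // Zero and free the plaintext copies, even when an exception was thrown.
            if (pa != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(pb);
        }
    }

    // Demo helper only: real input should arrive one character at a time
    // (for example from a password prompt), never as a string literal.
    static SecureString Make(string constructedSample)
    {
        var s = new SecureString();
        foreach (char c in constructedSample) s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    static void Main()
    {
        using (SecureString s1 = Make("hunter2"), s2 = Make("hunter2"), s3 = Make("hunter3"))
        {
            Console.WriteLine(SecureEquals(s1, s2));
            Console.WriteLine(SecureEquals(s1, s3));
        }
    }
}
```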

Have fun with it!


2 Responses to “.NET SecureString – storing/retrieving passwords and other sensitive data”

  1. christophe said

    Lives on the heam? ;)
